Hello,
I'm in the process of deploying an OpenLDAP cluster with a (simple)
syncrepl configuration, using Kerberos GSSAPI authentication between the
slaves and master. In testing this has worked fine; however, when the original
ticket expires the connection fails without the client noticing. This
has already been discussed at the thread ending with
http://www.openldap.org/lists/openldap-software/200608/msg00342.html
so I'm not asking for a rehash of that. However I am puzzled by the
discrepancy between the statement "As mentioned on this list numerous
times, do *not* use MIT kerberos with OpenLDAP. Bad things happen. Use
Heimdal Kerberos." and the advice given at
http://www.openldap.org/doc/admin24/install.html#Kerberos
which suggests (or at least implies) that MIT kerberos is usable with
OpenLDAP.
Is anything likely to change in this regard? Having looked into the
issue it does seem that fixing this with MIT kerberos would require (at
a minimum) changing the SASL library, and any such change would be a
hack, since it doesn't look to the untrained eye like SASL provides a
mechanism for getting information about connection lifetimes.
However, I do think it could be made clearer in the docs that MIT
kerberos is not suitable for use with OpenLDAP.
[sidenote: I will be taking some of this up with the Debian cyrus-sasl2
maintainers too, as they do not seem to support Heimdal gssapi any more]
Thanks,
Dominic.
--
Dominic Hargreaves, Systems Development and Support Team
Computing Services, University of Oxford